CVE-2024-9318
📋 TL;DR
This is a critical SQL injection vulnerability in SourceCodester Advocate Office Management System 1.0. An unauthenticated remote attacker can execute arbitrary SQL commands through the 'id' parameter of /control/activate.php, potentially leading to data theft, data modification, or full system compromise. All users running the affected software are at risk.
💻 Affected Systems
- SourceCodester Advocate Office Management System
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data exfiltration, data manipulation, privilege escalation, and potential remote code execution through database functions.
Likely Case
Unauthorized access to sensitive data (client information, case details, user credentials), data manipulation, and potential system takeover.
If Mitigated
Limited impact with proper input validation, WAF rules, and database permissions restricting damage to non-critical data.
🎯 Exploit Status
Public exploit code is available on GitHub. The vulnerability requires minimal technical skill to exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.sourcecodester.com/
Restart Required: No
Instructions:
1. Check vendor website for updates
2. If patch available, download and apply
3. Test functionality after patching
🔧 Temporary Workarounds
Input Validation Filter
Applies to: all
Add input validation for the 'id' parameter before it is processed.
Modify /control/activate.php so the id parameter reaches the database only through prepared statements or parameterized queries, never by concatenating it into the SQL string.
WAF Rule Implementation
Applies to: all
Deploy web application firewall rules that block SQL injection patterns.
Add a WAF rule that detects and blocks SQL injection attempts against /control/activate.php.
🧯 If You Can't Patch
- Isolate the system from internet access and restrict to internal network only
- Implement strict network segmentation and monitor all traffic to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Test the /control/activate.php endpoint with SQL injection payloads in the 'id' parameter
Check Version:
Check system version in admin panel or configuration files
Verify Fix Applied:
Test with SQL injection payloads after applying fixes to confirm they are blocked
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in logs
- Multiple requests to /control/activate.php with suspicious parameters
- Database error logs showing injection attempts
Network Indicators:
- HTTP requests to /control/activate.php containing SQL keywords (UNION, SELECT, INSERT, etc.)
- Unusual traffic patterns to the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri="/control/activate.php" AND (request_parameters CONTAINS "UNION" OR request_parameters CONTAINS "SELECT" OR request_parameters CONTAINS "INSERT")
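The SIEM query above matches on literal, upper-case keywords in the raw request, so it misses mixed-case or percent-encoded payloads and anything that uses only quotes and comment markers. The following Python script is an added example (not part of this advisory or the vendor's software) that scans access-log lines for requests to /control/activate.php, decodes the id parameter repeatedly, and reports the reasons a value looks like an injection attempt. The log lines are constructed for the example, and the check that id should be numeric is an assumption about the application, not something the advisory states.

```python
"""Scan web-server access logs for SQL-injection attempts against
/control/activate.php (CVE-2024-9318).  Added example; the log lines
below are constructed, not captured from a real system."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

TARGET_PATH = "/control/activate.php"   # endpoint named in the advisory
PARAM = "id"                            # parameter named in the advisory

# Combined-log-format prefix: ip ident user [ts] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Keywords from the advisory's SIEM query plus a few common extras, matched
# case-insensitively on whole words so "uNiOn" is caught as well as "UNION".
SQL_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|sleep|benchmark)\b", re.IGNORECASE
)
# Quote characters and comment openers: these catch payloads that contain no
# keyword at all and that a keyword-only query would miss.
SQL_META = re.compile(r"['\"]|--|/\*|#")


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding (double-encoded payloads are common)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_id(raw_value: str) -> list:
    """Return the reasons a value of the id parameter looks like injection."""
    value = fully_decode(raw_value)
    reasons = []
    # Assumption (not from the advisory): activate.php expects a numeric id.
    if not value.isdigit():
        reasons.append("non-numeric id")
    if SQL_KEYWORDS.search(value):
        reasons.append("sql keyword")
    if SQL_META.search(value):
        reasons.append("sql metacharacter")
    return reasons


def analyze_line(line: str) -> Optional[dict]:
    """Parse one access-log line; return a finding when it targets the
    vulnerable endpoint with a suspicious id, otherwise None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != TARGET_PATH:          # scope to the vulnerable endpoint
        return None
    # parse_qs performs one round of decoding; classify_id handles the rest.
    for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
        reasons = classify_id(raw)
        if reasons:
            return {
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": int(m.group("status")),
                "id": fully_decode(raw),
                "reasons": reasons,
            }
    return None


def scan_log(text: str) -> list:
    """Return findings for every suspicious line in an access log."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]


# Constructed sample lines (combined log format); the addresses are from the
# 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2024:12:00:01 +0000] "GET /control/activate.php?id=17 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Oct/2024:12:00:02 +0000] "GET /control/activate.php?id=17%27%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2024:12:00:03 +0000] "GET /control/activate.php?id=17'+or+1%3D1--+- HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [10/Oct/2024:12:00:04 +0000] "GET /control/activate.php?id=17%2527%2520uNiOn%2520sElEcT%25201 HTTP/1.1" 500 0 "-" "curl/8.0"
203.0.113.14 - - [10/Oct/2024:12:00:05 +0000] "GET /index.php?q=select+a+lawyer HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} "
              f"id={f['id']!r} -> {', '.join(f['reasons'])}")
```

Run against a real log with `scan_log(open(path).read())`. The fifth sample line shows why the path filter matters: a search term containing "select" on another page is not an injection attempt, while the third line shows a quote-and-comment payload that the keyword-only SIEM query would never match. Tune SQL_META if the application legitimately accepts apostrophes in other parameters; here it is applied only to id.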
🔗 References
- https://github.com/para-paradise/webray.com.cn/blob/main/Advocate%20office%20management%20system/Advocate%20office%20management%20system%20activate.php%20error-based%20SQL%20Injection%20Vulnerability.md
- https://vuldb.com/?ctiid.278822
- https://vuldb.com/?id.278822
- https://vuldb.com/?submit.412749
- https://www.sourcecodester.com/